VYPR
Unrated severity · NVD Advisory · Published Dec 2, 2021 · Updated Aug 3, 2024

CVE-2021-25784

Description

Taocms v2.5Beta5 was discovered to contain a blind SQL injection vulnerability via the function Edit Article.

AI Insight

LLM-synthesized narrative grounded in this CVE's description and references.

Blind SQL injection in Taocms v2.5Beta5 Edit Article function allows authenticated column administrators to extract database contents.

Vulnerability

Taocms v2.5Beta5 contains a blind SQL injection vulnerability in the Edit Article function. The flaw resides in the id parameter of the admin/admin.php?action=cms&id=...&ctrl=edit endpoint. An authenticated user with column administrator privileges can inject SQL commands via the id parameter. The official description confirms the vulnerability is present in version v2.5Beta5 [1].

Exploitation

An attacker must first authenticate as a column administrator. The reference demonstrates a proof-of-concept by sending a request to /admin/admin.php?action=cms&id=30+and+1=3&ctrl=edit. Because the injection is blind, the attacker observes differences in the application's response to infer whether injected conditions are true or false. This allows step-by-step extraction of data from the database [1].

Impact

Successful exploitation enables an authenticated column administrator to perform blind SQL injection, leading to unauthorized disclosure of database contents. This could include user credentials, configuration data, or other sensitive information stored in the database. The attacker does not gain direct remote code execution but can extract arbitrary data from the database [1].

Mitigation

No official patch or fixed version has been released for Taocms v2.5Beta5 as of the publication date. Users are advised to restrict access to the admin panel to trusted users and monitor the vendor's repository for any updates. The vulnerability is not listed on the CISA Known Exploited Vulnerabilities (KEV) catalog [1].
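One defensive check a practitioner could build from the indicator in this advisory (a non-numeric id value in the Edit Article request), as an added example that is neither Taocms code nor part of the advisory: it scans constructed access-log lines for requests to the admin edit endpoint whose id parameter is not a plain integer, and shows the input validation the handler itself should apply. The endpoint path and parameter names come from the advisory; the log lines and IP addresses are constructed.

```python
import re
from urllib.parse import urlsplit, parse_qs

# Constructed sample access-log lines (not real traffic). The third line
# carries the injected id value quoted in the advisory's proof of concept;
# the fourth is the same probe with percent-encoding instead of '+'.
SAMPLE_LOG = """\
10.0.0.5 - - [02/Dec/2021:10:00:01 +0000] "GET /admin/admin.php?action=cms&id=30&ctrl=edit HTTP/1.1" 200 5120
10.0.0.5 - - [02/Dec/2021:10:00:07 +0000] "GET /admin/admin.php?action=cms&id=31&ctrl=edit HTTP/1.1" 200 5098
10.0.0.9 - - [02/Dec/2021:10:01:13 +0000] "GET /admin/admin.php?action=cms&id=30+and+1=3&ctrl=edit HTTP/1.1" 200 812
10.0.0.9 - - [02/Dec/2021:10:01:14 +0000] "GET /admin/admin.php?action=cms&id=30%20and%201%3D1&ctrl=edit HTTP/1.1" 200 5120
10.0.0.5 - - [02/Dec/2021:10:02:00 +0000] "GET /index.php?id=30 HTTP/1.1" 200 2048
"""

# Minimal combined-log-format matcher: source address, request target, status.
REQUEST_RE = re.compile(r'^(\S+) \S+ \S+ \[[^\]]+\] "(?:GET|POST) (\S+) HTTP/[^"]+" (\d{3})')


def is_valid_article_id(value: str) -> bool:
    """The check an Edit Article handler should apply before any query:
    an article id is a plain, bounded decimal integer; reject anything else."""
    return value.isdigit() and len(value) <= 10


def suspicious_edit_requests(log_text: str) -> list[dict]:
    """Return one record per request to the Edit Article endpoint whose id
    parameter is not a plain integer (the request shape behind CVE-2021-25784)."""
    hits = []
    for line in log_text.splitlines():
        m = REQUEST_RE.match(line)
        if not m:
            continue
        src, target, status = m.groups()
        parts = urlsplit(target)
        if not parts.path.endswith("/admin/admin.php"):
            continue
        # parse_qs decodes '+' and %XX, so both probe encodings normalise alike.
        qs = parse_qs(parts.query, keep_blank_values=True)
        if qs.get("action") != ["cms"] or qs.get("ctrl") != ["edit"]:
            continue
        for raw_id in qs.get("id", []):
            if not is_valid_article_id(raw_id):
                hits.append({"src": src, "id": raw_id, "status": int(status)})
    return hits


if __name__ == "__main__":
    for hit in suspicious_edit_requests(SAMPLE_LOG):
        print(f"{hit['src']} sent non-integer id {hit['id']!r} (HTTP {hit['status']})")
```

Because the injection is blind, the response size difference between the probe lines (812 versus 5120 bytes) is the second signal worth alerting on alongside the malformed id.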

AI Insight generated on May 27, 2026. Synthesized from this CVE's description and the cited reference URLs; citations are validated against the source bundle.

Affected products

2
  • Taocms/Taocms [description]
  • Taogo/Taocms [llm-fuzzy]
    Range: = 2.5Beta5

Patches

0

No patches discovered yet.

Vulnerability mechanics

AI mechanics synthesis has not run for this CVE yet.

References

1

News mentions

0

No linked articles in our index yet.